Sunday 11 August 2013

Win kernel

http://www.codeexperts.com/showthread.php?704-What-is-the-difference-between-CreateFile-NtCreateFile-and-ZwCreateFile
CreateFile - Documented public Win API used in user mode. CreateFile does some initialization and then calls NtCreateFile.
NtCreateFile - Undocumented Windows internal API that is used in user mode. Note some internal API's are documented.
ZwCreateFile - Windows API to be called from kernel mode (e.g. Device Drivers ). 

Note: NtCreateFile and ZwCreateFile are identical when calling from user mode. However when calling from Kernel mode the ZwCreateFile sets the previous mode to kernel mode before calling create file function. This gives the ZwCreateFile kernel mode access where Nt version gets user mode access.

Basically the difference between Zw and Nt in kernel mode is that the Zw prefix functions set the previous mode to kernel mode and the Nt prefix functions leave it unchanged. The previous mode is used in parameter validation to determine if the function is called from user mode or kernel mode.

 http://win32assembly.programminghorizon.com/tutorials.html

 http://win32assembly.programminghorizon.com/mmf.txt

 http://giga.cps.unizar.es/~spd/pub/virus/

 http://www.geoffchappell.com/studies/windows/win32/ntdll/api/index.htm
By at August 11, 2013

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)